Westpoint Security Advisory
---------------------------
Title: Safari XMLHttpRequest HTTP header injection
Risk Rating: Low
Platforms: MacOS and Windows
Author: Richard Moore
Date: 25 June 2007
Advisory ID#: wp-07-0002
URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE: CVE-2007-2401
Overview
--------
The XMLHttpRequest object is intended to enforce a same-origin security policy,
and to prevent the injection of HTTP headers that can be used maliciously.
Unpatched releases of Safari on both Windows and MacOS X allow JavaScript to
bypass these restrictions. It is possible to insert arbitrary HTTP headers into
the request, including the Host header.
Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this issue.
Details
-------
It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying values
containing newline characters. For example, a request such as this is treated
as valid:
xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');
and results in:
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test
Impact
------
This allows a malicious site to cause the user's browser to attack other sites
that are virtual servers on the same IP address (eg. via SQL injection or
cross-site scripting). Potentially any header can be injected. If the user is
accessing the web via a proxy then potentially any site can be attacked.
Timeline
--------
14/06/2007 Apple informed of the vulnerability
22/06/2007 Patch released
25/06/2007 Confirmed that the fix addresses the issue
25/06/2007 Westpoint advisory release